US10594719B2ActiveUtilityA1

Systems and methods for remote identification of enterprise threats

73
Assignee: KIVU CONSULTING INCPriority: Aug 30, 2016Filed: Aug 23, 2017Granted: Mar 17, 2020
Est. expiryAug 30, 2036(~10.1 yrs left)· nominal 20-yr term from priority
G06F 2221/034G06F 21/577H04L 63/1441H04L 63/1433H04L 63/0428
73
PatentIndex Score
2
Cited by
7
References
17
Claims

Abstract

Embodiments of the present invention provide techniques, systems, and methods for remote, agent-less enterprise computer threat data collection, malicious threat analysis, and identification and reporting of potential and real threats present on an enterprise computer system. Specifically, embodiments are directed to a system that securely collects system information from computers across the enterprise, internally encrypts and analyzes the collected information for indicators of compromise, threatening behavior, and known vulnerabilities, and generates alerts regarding known and potential threats for further analysis and remediation. If potential threats are identified, the system may deploy a memory analysis module that takes a deeper analysis of the potentially compromised computer to obtain more information about the potential threat. The remote, agent-less collection, analysis, and identification process can be repeated periodically to obtain additional information over time in order to identify the nature of the threat, and may delete itself after completion to avoid detection.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method, comprising:
 receiving, at a threat analysis system, threat parameters associated with an enterprise management system; 
 configuring a tool based on the threat parameters; 
 distributing the tool to a plurality of computing systems in an enterprise managed by the enterprise management system, the tool configured to be executed by the threat analysis system remote from the plurality of computing systems, wherein at each computing system the tool:
 collects a system data set based on the threat parameters associated with the computing system; and 
 sends the system data set to a data store; 
 
 obtaining a plurality of system data sets associated with the plurality of computing systems from the data store, each system data set associated with one of the plurality of computing systems; 
 analyzing the plurality of system data sets to identify potential threats, wherein analyzing the plurality of system data sets to identify potential threats comprises:
 comparing each system data set of the plurality of system data sets to a database of known threat indicators, 
 identifying at least one system data set matching one or more threat indicators of the database of known threat indicators, and 
 for each of the at least one system data set matching the one or more threat indicators:
 determining a file identifier, a computing system identifier, a type of threat indicator, and a threat identifier associated with the system data set, and 
 logging the file identifier, the computing system identifier, the type of threat indicator, and the threat identifier for use in the threat report; 
 
 
 generating a threat report including one or more identified potential threats from one or more computing systems of the plurality of computing systems; 
 analyzing a memory of the one or more computing systems associated with the one or more identified potential threats using a second tool to produce a memory threat report; and 
 causing an alert, including the threat report and the memory threat report, to be provided to the enterprise management system. 
 
     
     
       2. The method of  claim 1 , wherein the analyzing the memory on the one or more computing systems associated with the one or more identified potential threats using a second tool to produce the memory threat report, further comprises:
 identifying the one or more computing systems of the plurality of computing systems associated with the one or more identified potential threats; 
 configuring the second tool to collect memory information from the one or more identified computing systems associated with the one or more identified potential threats; 
 distributing the second tool to the one or more identified computing systems, wherein at each computing system the second tool: 
 collects a memory data set associated with the computing system; and 
 sends the memory data set to the data store; 
 obtaining one or more memory data sets associated with the one or more identified computing systems; 
 analyzing the one or more memory data sets to identify real threats; and 
 generating the memory threat report including one or more identified real threats. 
 
     
     
       3. The method of  claim 1 , wherein analyzing the plurality of system data sets to identify potential threats further comprises:
 comparing each system data set of the plurality of system data sets to a previously stored system data set for the computing system associated with the system data set; 
 identifying one or more differences between the previously stored system data set for at least one of the plurality of computing systems; 
 for each of the at least one of the plurality of computing systems: 
 for each difference of the one or more differences: 
 comparing the difference to a database of behavioral threat indicators; 
 identifying a behavioral threat indicator matching the difference; 
 determining a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and 
 logging the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report. 
 
     
     
       4. The method of  claim 1 , wherein analyzing the plurality of system data sets to identify potential threats further comprises:
 for each system data set of the plurality of system data sets: 
 comparing the system data set to a reference system data set; and 
 identifying one or more differences between the system data set and the reference system data set for at least one of the plurality of system data sets; 
 for each difference of the one or more differences: 
 comparing the difference to a database of behavioral threat indicators; 
 identifying a behavioral threat indicator matching the difference; 
 determining a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and 
 logging the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report. 
 
     
     
       5. The method of  claim 1 , further comprising:
 receiving confirmation that at least one of the one or more identified potential threats indicates a real threat; 
 generating a hash of the system data set associated with the real threat; 
 updating the database of known threat indicators to include the hash of the system data set associated with the real threat. 
 
     
     
       6. The method of  claim 1 , further comprising:
 receiving confirmation that at least one of the one or more identified potential threats indicates a real threat; 
 identifying one or more indicators of the system data associated with the at least one identified potential threat; and 
 updating a database of known threat indicators to include the one or more indicators of the system data associated with the threat. 
 
     
     
       7. The method of  claim 1 , wherein before analyzing the plurality of system data sets, the method further comprises:
 identifying identical system data between the plurality of system data sets; and 
 removing the identical system data from the plurality of system data sets. 
 
     
     
       8. The method of  claim 1 , further comprising:
 encrypting the collected system data set prior to sending the collected system data to the data store; and 
 decrypting the plurality of system data set prior to analyzing to identify potential threats. 
 
     
     
       9. The method of  claim 1 , wherein the tool is deleted from the two or more computing systems after being run to reduce detection by the one or more identified potential threats. 
     
     
       10. A computing device comprising:
 a processor; and 
 a non-transitory computer-readable medium comprising code, executable by the processor, to perform a method comprising:
 receiving threat parameters associated with an enterprise management system; 
 configuring a tool based on the threat parameters; 
 distributing the tool to a plurality of computing systems in the enterprise, the tool configured to be executed by the computing device remote from the plurality of computing systems, wherein at each computing system the tool:
 collects a system data set based on the threat parameters associated with the computing system; and 
 sends the system data set to a data store; 
 
 obtaining a plurality of system data sets associated with the plurality of computing systems from the data store, each system data set associated with one of the plurality of computing systems; 
 analyzing the plurality of system data sets to identify potential threats, wherein analyzing the plurality of system data sets to identify potential threats comprises: 
 comparing each system data set of the plurality of system data sets to a database of known threat indicators, 
 identifying at least one system data set matching one or more threat indicators of the database of known threat indicators, and 
 for each of the at least one system data set matching the one or more threat indicators:
 determining a file identifier, a computing system identifier, a type of threat indicator, and a threat identifier associated with the system data set, and 
 logging the file identifier, the computing system identifier, the type of threat indicator, and the threat identifier for use in the threat report; 
 
 generating a threat report including one or more identified potential threats from one or more computing systems of the plurality of computing systems; 
 analyzing a memory of the one or more computing systems associated with the one or more identified potential threats using a second tool to produce a memory threat report; and 
 causing an alert, including the threat report and the memory threat report, to be provided to the enterprise management system. 
 
 
     
     
       11. The computing device of  claim 10 , wherein the method further comprises:
 identifying the one or more computing systems of the plurality of computing systems associated with the one or more identified potential threats; 
 configuring the second tool to collect memory information from the one or more identified computing systems associated with the one or more identified potential threats; 
 distributing the second tool to the one or more identified computing systems, wherein at each computing system the second tool:
 collects a memory data set associated with the computing system; and 
 sends the memory data set to the data store; 
 
 obtaining one or more memory data sets associated with the one or more identified computing systems; 
 analyzing the one or more memory data sets to identify real threats; and 
 generating the memory threat report including one or more identified real threats. 
 
     
     
       12. The computing device of  claim 10 , wherein analyzing the plurality of system data sets to identify potential threats further comprises:
 comparing each system data set of the plurality of system data sets to a previously stored system data set for the computing system associated with the system data set; 
 identifying one or more differences between the previously stored system data set for at least one of the plurality of computing systems; 
 for each of the at least one of the plurality of computing systems: 
 for each difference of the one or more differences: 
 comparing the difference to a database of behavioral threat indicators; 
 identifying a behavioral threat indicator matching the difference; 
 determining a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and 
 logging the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report. 
 
     
     
       13. The computing device of  claim 10 , wherein analyzing the plurality of system data sets to identify potential threats further comprises:
 for each system data set of the plurality of system data sets:
 comparing the system data set to a reference system data set; and 
 identifying one or more differences between the system data set and the reference system data set for at least one of the plurality of system data sets; for each difference of the one or more differences: 
 comparing the difference to a database of behavioral threat indicators; 
 identifying a behavioral threat indicator matching the difference; 
 determining a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and 
 logging the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report. 
 
 
     
     
       14. The computing device of  claim 10 , wherein the method further comprises:
 receiving confirmation that at least one of the one or more identified potential threats indicates a real threat; 
 generating a hash of the system data set associated with the real threat; 
 updating the database of known threat indicators to include the hash of the system data set associated with the real threat. 
 
     
     
       15. A system comprising:
 a threat analysis computing device configured to:
 receive threat parameters associated with an enterprise management system; 
 configure a tool based on the threat parameters; 
 distribute the tool to a plurality of computing systems in the enterprise, the tool configured to be executed by the threat analysis computing device remote from the plurality of computing systems; 
 obtain a plurality of system data sets associated with the plurality of computing systems from a data store, each system data set associated with one of the plurality of computing systems; 
 analyze the plurality of system data sets to identify potential threats, wherein the threat analysis computing device configured to analyze the plurality of system data sets to identify potential threats further comprises the threat analysis computing device configured to:
 compare each system data set of the plurality of system data sets to a database of known threat indicators; 
 identify at least one system data set matching one or more threat indicators of the database of known threat indicators; and 
 for each of the at least one system data set matching the one or more threat indicators: determine a file identifier, a computing system identifier, a type of threat indicator, and a threat identifier associated with the system data set; and log the file identifier, the computing system identifier, the type of threat indicator, and the threat identifier for use in the threat report; 
 
 generate a threat report including one or more identified potential threats from one or more computing systems of the plurality of computing systems; 
 analyze a memory of the one or more computing systems associated with the one or more identified potential threats using a second tool to produce a memory threat report; and 
 cause an alert, including the threat report and the memory threat report, to be provided to the enterprise management system; 
 
 the enterprise management system configured to:
 provide the threat parameters associated with the tool to the threat analysis computing device; 
 receive the threat report including the one or more identified potential threats from the threat analysis computing device; and 
 mediate the one or more identified threats on the one or more computing systems for the plurality of computing systems; and the plurality of computing systems in the enterprise, wherein each of the plurality of computing systems are configured to: 
 receive the tool; and 
 execute the tool, wherein the tool is configured to:
 collect a system data set based on the threat parameters associated with the computing system; and 
 send the system data set to a data store. 
 
 
 
     
     
       16. The system of  claim 15 , wherein the threat analysis computing device is further configured to:
 identify the one or more computing systems of the plurality of computing systems associated with the one or more identified potential threats; 
 configure the second tool to collect memory information from the one or more identified computing systems associated with the one or more identified potential threats; 
 distribute the second tool to the one or more identified computing systems, wherein the each of the one or more identified computing systems executes the second tool to: 
 collect a memory data set associated with the computing system; and 
 send the memory data set to the data store; 
 obtain one or more memory data sets associated with the one or more identified computing systems; 
 analyze the one or more memory data sets to identify real threats; and 
 generate the memory threat report including one or more identified real threats. 
 
     
     
       17. The system of  claim 15 , wherein the threat analysis computing device configured to analyze the plurality of system data sets to identify potential threats further comprises the threat analysis computing device configured to:
 compare each system data set of the plurality of system data sets to a previously stored system data set for the computing system associated with the system data set; 
 identify one or more differences between the previously stored system data set for at least one of the plurality of computing systems; 
 for each of the at least one of the plurality of computing systems: 
 for each difference of the one or more differences: 
 compare the difference to a database of behavioral threat indicators; 
 identify a behavioral threat indicator matching the difference; 
 determine a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and 
 log the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.